In a report published yesterday, Symantec confirmed that the Flash zero-day exposed by the breach of Hacking Team is remotely exploitable, and warned that attacks using it are likely to follow. Symantec's analysis indicates that even a fully patched Flash installation can be compromised simply by loading a specially crafted Flash file.
Such zero-day attacks are fairly rare. Typically, vulnerabilities are reported under 'responsible disclosure', where the details of the bug are not made public until the code has been fixed and an update published. For Adobe Flash this ordinarily happens on a monthly patch cycle, so the next scheduled update would be expected in the near future in any case. This vulnerability, however, was never reported to Adobe: Hacking Team kept it private and used it to provide remote exploits.
Hacking Team were themselves hacked yesterday, and the leaked data included details of the Flash vulnerability, which is now in the wild. When a bug is published with no patch available, the software vendor is in a race against time to develop and release a fix before attackers adopt it.
In the meantime, Symantec recommends disabling Flash and provides instructions for doing so. Because Chrome ships with its own bundled copy of Flash enabled by default, Chrome users may be exposed without realising it, especially if they have never knowingly installed Flash.
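One practical check, added here as an illustration and not taken from the Symantec report: page script (or a user typing in the browser's developer console) can ask the browser whether a Flash plugin is exposed to web content, using the navigator.plugins and navigator.mimeTypes checks that Flash-embedding libraries have long relied on, with the ShockwaveFlash ActiveX control as the Internet Explorer fallback. If the check reports Flash as enabled, Symantec's advice to disable it applies, whether the plugin was installed deliberately or bundled with the browser. The function takes the navigator object and an ActiveX factory as parameters so it can be exercised against constructed fixtures; those fixtures, the version-string formats and the '$version' ActiveX variable are assumptions of this example.

```javascript
// Added example (not from the Symantec report or from Adobe): report whether a
// Flash plugin is reachable from page script, and which version it advertises.
// The browser objects are passed in as parameters so the same function can be
// run in Node against constructed fixtures.

const FLASH_MIME = 'application/x-shockwave-flash';

// Plugin descriptions look like "Shockwave Flash 18.0 r0" (assumed format);
// normalise to "major.minor.release".
function parsePluginVersion(description) {
  const m = /(\d+)\.(\d+)(?:\s*r(\d+))?/.exec(description || '');
  if (!m) return null;
  return `${m[1]}.${m[2]}.${m[3] || 0}`;
}

// The ActiveX control's GetVariable('$version') returns e.g. "WIN 18,0,0,194"
// (assumed format); normalise to dotted form.
function parseActiveXVersion(raw) {
  const m = /(\d+),(\d+),(\d+),(\d+)/.exec(raw || '');
  return m ? `${m[1]}.${m[2]}.${m[3]}.${m[4]}` : null;
}

// nav: the navigator object (or a fixture shaped like one).
// createActiveX: optional factory, id => new ActiveXObject(id), for IE.
function detectFlash(nav, createActiveX) {
  // 1. Chrome, Firefox, Safari: enumerate navigator.plugins (works for both the
  //    bundled Pepper/PPAPI plugin in Chrome and the NPAPI plugin elsewhere).
  if (nav && nav.plugins && nav.plugins.length) {
    for (let i = 0; i < nav.plugins.length; i++) {
      const p = nav.plugins[i];
      if (p && /Shockwave Flash/i.test(p.name || '')) {
        return { enabled: true, source: 'navigator.plugins', version: parsePluginVersion(p.description) };
      }
    }
  }
  // 2. navigator.mimeTypes: enabledPlugin is null when the plugin is installed
  //    but disabled, which is exactly the state Symantec's instructions aim for.
  if (nav && nav.mimeTypes && nav.mimeTypes[FLASH_MIME]) {
    const mt = nav.mimeTypes[FLASH_MIME];
    if (mt.enabledPlugin) {
      return { enabled: true, source: 'navigator.mimeTypes', version: parsePluginVersion(mt.enabledPlugin.description) };
    }
  }
  // 3. Internet Explorer: try to instantiate the ActiveX control. A thrown
  //    error means the control is not registered or is blocked by policy.
  if (typeof createActiveX === 'function') {
    try {
      const ax = createActiveX('ShockwaveFlash.ShockwaveFlash');
      if (ax) {
        const raw = typeof ax.GetVariable === 'function' ? ax.GetVariable('$version') : '';
        return { enabled: true, source: 'ActiveX', version: parseActiveXVersion(raw) };
      }
    } catch (e) {
      // fall through: no usable control
    }
  }
  return { enabled: false, source: null, version: null };
}

// In a real browser console: pass the live navigator and, on IE, an ActiveX factory.
if (typeof navigator !== 'undefined') {
  const factory = typeof ActiveXObject !== 'undefined' ? (id) => new ActiveXObject(id) : undefined;
  console.log(detectFlash(navigator, factory));
}
```

The check is only as good as what the browser chooses to expose: a plugin hidden from enumeration by a browser setting or extension will not appear, so a negative result is reassuring but not proof, while a positive result is a reliable sign that Flash content on a web page would run.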